
Security

Trust, posture, and proof.

What Cavaridge does to keep your data safe — stated honestly. No premature attestation claims; if it says we have it, we have it.

Operator + legal review pending. PROD-09 ships this surface in mechanical form. Sub-processor evidence links, SOC 2 target window, and per-row legal sign-off are tracked in docs/build/production/log/PROD-09-NOTES.md.

SOC 2 Type II

In progress. Auditor engagement letter target window will be published here once signed. We will NOT display a SOC 2 logo or claim the attestation before issuance.

HIPAA

Standard BAA available for the Healthcare suite (Cavaridge AEGIS healthcare scope, Cavaridge Ember in production cutover, future PHI-bearing surfaces). Request a BAA →

ISO 27001

Not pursued in v1. Operator will reassess against the customer base in the Q4 2026 review window.

How data flows

  • Customer-facing apps run on Railway (us-west region parity); every service binds 0.0.0.0 behind Cloudflare TLS.
  • The platform database is a single Supabase project (cavaridge-platform-prod, us-west-2 / Oregon) with row-level security per tenant_id.
  • Stripe handles all payment data; card numbers are tokenized by Stripe Elements and never enter Cavaridge surfaces.
  • All in-app LLM calls route through the Cavaridge AI gateway (Spaniel) → OpenRouter → underlying model providers. No app holds an LLM API key directly.
  • Secrets live in Doppler; staging and prod environments never read committed .env files.
  • The status surface at status.cavaridge.app runs from a separate Supabase project so a platform outage cannot take down the status page.

Tenant isolation (Universal Tenant Model)

Cavaridge enforces multi-tenant isolation at three layers, described in the docs/architecture/CVG-UTM-CONFORMANCE-v1.0.0-20260315.md architecture document:

  • Database: every tenant-scoped table has a required tenant_id FK, and RLS policies route through auth.tenant_visible().
  • API: every Express route mounts tenantGuard() middleware that fails closed if the request has no resolvable tenant.
  • UI: every app wraps in TenantProvider; client code reads tenant via context, never via URL parameter.

Cavaridge Nurse Tools is the documented carve-out (no auth, no tenant); every other surface enforces all three.
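
A sketch of what "fails closed" means at the API layer, added here as an illustration and not taken from Cavaridge's code base. Only the name tenantGuard() comes from this page; resolveTenant, runGuard, req.auth, the UUID format for tenant_id, and the 403 response body are assumptions.

```javascript
// Added illustration; not Cavaridge's code. Names other than tenantGuard are hypothetical.
// Assumption: tenant_id values are UUIDs.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

// Assumption: an earlier auth middleware verified the session and set req.auth.
function resolveTenant(req) {
  const id = req.auth && req.auth.tenant_id;
  // Only the verified claim counts; req.query, req.params and headers are never consulted.
  return typeof id === "string" && UUID_RE.test(id) ? id.toLowerCase() : null;
}

function tenantGuard(resolve = resolveTenant) {
  return function (req, res, next) {
    let tenantId = null;
    try {
      tenantId = resolve(req);
    } catch (_err) {
      tenantId = null; // a resolver error denies the request, it never passes through
    }
    if (!tenantId) {
      // Fail closed: respond and do NOT call next().
      res.status(403).json({ error: "tenant_required" });
      return;
    }
    req.tenantId = tenantId; // handlers scope every query by this value
    next();
  };
}

// Minimal stand-ins for Express req/res so the guard can be exercised offline.
function runGuard(req, guard = tenantGuard()) {
  const out = { status: null, body: null, nextCalled: false, tenantId: null };
  const res = {
    status(code) { out.status = code; return this; },
    json(body) { out.body = body; return this; },
  };
  guard(req, res, () => { out.nextCalled = true; });
  out.tenantId = req.tenantId || null;
  return out;
}
```

The cases worth exercising are the ones where a permissive guard would let the request through: a tenant supplied only in the query string, an empty or malformed claim, and a resolver that throws.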

Sub-processors

The complete list of sub-processors that may process customer data is published at /trust/subprocessors. Material changes are notified to BAA-covered tenants at least 30 days in advance.

Vulnerability disclosure

Cavaridge runs a vulnerability disclosure program (VDP) with scope, safe-harbor language, and contact details at /security/disclosure.

Report security issues to security@cavaridge.com. PGP key on the disclosure page.

Incident response

Live status: status.cavaridge.app. Postmortems for Severity-1 and Severity-2 incidents are published per the template at docs/build/production/templates/postmortem.md within 14 days of resolution.